Learn complete reconnaissance (recon) in ethical hacking from beginner to advanced. Discover the best recon tools, OSINT techniques, subdomain enumeration, Nmap scanning, and real-world workflows in this step-by-step guide.
🔑 Focus Keypoints
- Reconnaissance in ethical hacking
- Recon tools list
- Beginner to advanced recon guide
- Subdomain enumeration tools
- OSINT techniques cybersecurity
- Nmap tutorial
- Bug bounty recon workflow
📌 Introduction
Reconnaissance (Recon) is the first and most important phase in ethical hacking and bug bounty hunting.
Before exploiting any system, hackers gather as much information as possible about the target.
👉 In simple words:
Recon = Information Gathering
The more data you collect, the higher your chances of finding vulnerabilities.
🧠 What is Reconnaissance in Ethical Hacking?
Reconnaissance is the process of collecting information about a target system, website, or network.
It helps identify:
- Attack surface
- Entry points
- Weak configurations
- Hidden assets
🔥 Types of Reconnaissance
🟢 Passive Recon (Safe & Undetectable)
No direct interaction with the target.
Examples:
- Google Dorking
- WHOIS lookup
- Social media analysis
- Public data leaks
🔴 Active Recon (Detectable)
Direct interaction with the target system.
Examples:
- Port scanning
- Network scanning
- Service enumeration
🎯 Why Is Recon Important in Bug Bounty?
- Finds hidden vulnerabilities
- Saves time during exploitation
- Increases success rate
- Helps bypass security systems
🛠️ Beginner Level Recon Techniques
🌐 1. Google Dorking (Powerful OSINT Method)
Google is one of the most powerful recon tools.
Examples:
site:example.com
site:example.com login
intitle:"index of"
filetype:pdf site:example.com
👉 Helps find:
- Admin panels
- Exposed files
- Sensitive documents
🌍 2. WHOIS Lookup
Find domain ownership details.
whois example.com
👉 Output includes:
- Domain owner
- DNS servers
🌐 3. DNS Enumeration
nslookup example.com
dig example.com
👉 Finds:
- IP addresses
- Mail servers
- DNS records
🧰 4. Beginner Recon Tools
🔹 theHarvester
theHarvester -d example.com -l 100 -b google
Find emails and subdomains.
🔹 WhatWeb
whatweb example.com
Detect technologies used by a website.
🔹 Wappalyzer
Browser extension to detect:
- CMS
- Frameworks
- Programming languages
🚀 Intermediate Recon Techniques
🔎 1. Subdomain Enumeration
Subdomains are hidden entry points.
🔹 Sublist3r
sublist3r -d example.com
🔹 Amass
amass enum -d example.com
🔹 Assetfinder
assetfinder example.com
👉 Combine all tools for maximum results.
🌐 2. Subdomain Validation
Check which subdomains are alive.
cat subdomains.txt | httpx
🔍 3. Directory Bruteforcing
🔹 Dirsearch
python3 dirsearch.py -u https://example.com
🔹 Gobuster
gobuster dir -u https://example.com -w wordlist.txt
👉 Finds hidden paths like:
- /admin
- /backup
- /dashboard
🔐 4. Port Scanning with Nmap
nmap -A example.com
Advanced scan:
nmap -sS -sV -p- example.com
👉 Reveals:
- Open ports
- Running services
- Versions
🌍 5. Wayback URLs
waybackurls example.com
👉 Discover:
- Old endpoints
- Hidden APIs
- Deleted pages
💀 Advanced Recon Techniques
🧠 1. Automation (Pro Level)
Automate the recon process using scripts. The script below quotes the domain, refuses to run without one, and avoids piping cat into sort/httpx:
#!/bin/bash
# Usage: ./recon.sh example.com
domain="$1"
[ -z "$domain" ] && { echo "usage: $0 <domain>" >&2; exit 1; }
sublist3r -d "$domain" -o subs.txt
amass enum -d "$domain" >> subs.txt
sort -u subs.txt > final.txt
httpx < final.txt > alive.txt
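The step the script above glosses over is what happens between "merge the tool outputs" and "feed them to httpx": different tools emit mixed case, wildcard entries (*.api.example.com) and trailing dots, and third-party hosts that are not part of the authorised scope. The helper below is an added example, not code from the original post. It normalises the merged list and splits it into in-scope and out-of-scope names, so that only the in-scope file ever reaches the active steps (httpx, nmap). It assumes only coreutils, grep and sed; the sample input is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): scope-filter merged subdomain
# lists before any active recon step touches them. Needs coreutils, grep, sed.

# regex_escape_domain <domain> -> domain with dots escaped for grep -E
regex_escape_domain() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# clean_names <file>... -> lowercase, trimmed names; a leading wildcard "*."
# and a trailing dot are removed, blank lines dropped
clean_names() {
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^\*\.//' -e 's/\.$//' \
      | grep -v '^$'
}

# in_scope <root> <file>... -> unique hostnames equal to or under <root>
in_scope() {
    local root esc
    root="$1"; shift
    esc=$(regex_escape_domain "$root")
    clean_names "$@" | grep -E "^([a-z0-9_-]+\.)*${esc}\$" | sort -u
}

# out_of_scope <root> <file>... -> every name that was rejected, for review
# (for example a CDN or vendor host that a tool picked up via CNAME)
out_of_scope() {
    local root esc
    root="$1"; shift
    esc=$(regex_escape_domain "$root")
    clean_names "$@" | grep -vE "^([a-z0-9_-]+\.)*${esc}\$" | sort -u
}

# scope_split <root> <merged-file> -> writes final.txt (in scope) and
# rejected.txt (out of scope); only final.txt should go on to httpx/nmap
scope_split() {
    in_scope "$1" "$2" > final.txt
    out_of_scope "$1" "$2" > rejected.txt
}
```

Run `scope_split example.com subs.txt` in place of the `sort -u` line of the script above; hosts such as `cdn.example.net` or `example.com.evil.test` end up in rejected.txt instead of being scanned.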
🔍 2. Parameter Discovery
python3 paramspider.py --domain example.com
👉 Finds URLs like:
example.com/page.php?id=1
🔐 3. JavaScript Recon
python3 linkfinder.py -i https://example.com/app.js
👉 Extracts:
- API keys
- Endpoints
- Tokens
🌐 4. Screenshot Recon
cat alive.txt | aquatone
👉 Visual overview of targets.
🧬 5. GitHub Recon
Search on GitHub:
example.com api key
👉 Find leaked:
- Credentials
- API keys
🧰 6. Advanced Recon Tools List
- Recon-ng
- Maltego
- SpiderFoot
- Shodan
⚡ Real-World Recon Workflow (Step-by-Step)
✅ Step 1: Collect Domain
Start with target domain.
✅ Step 2: Subdomain Enumeration
Use:
- Sublist3r
- Amass
✅ Step 3: Filter Alive Domains
Use httpx.
✅ Step 4: Scan Ports
Use Nmap.
✅ Step 5: Find Hidden Directories
Use Gobuster.
✅ Step 6: Extract Parameters
Use ParamSpider.
✅ Step 7: Analyze JavaScript
Use LinkFinder.
✅ Step 8: Organize Data
Keep everything structured.
🧠 Pro Tips for Better Recon
🔥 Use Multiple Tools
No single tool is enough.
🔥 Keep Data Organized
recon/
├── subdomains.txt
├── alive.txt
├── urls.txt
├── ports.txt
🔥 Use Wordlists
- SecLists
- RockYou
🔥 Stay Anonymous
Use VPN or Tor.
🔥 Automate Everything
Automation = faster results.
⚠️ Legal Disclaimer
Only perform recon on:
- Your own systems
- Bug bounty programs
- Authorized targets
Unauthorized scanning is illegal.
🏁 Conclusion
Reconnaissance is the foundation of ethical hacking.
If your recon is strong:
- Finding bugs becomes easier
- Exploitation becomes faster
- Success rate increases
💡 Final Line
👉 “The best hackers are masters of information gathering.”
